As part of Operation Return, TeamHav0k hackers revisited some of the vulnerabilities they found last year in government and university websites. Fortunately, the university websites appreciated the findings and patched up all the flaws, but government website administrators weren’t so eager to address the security holes.

“Last year these vulnerabilities were found by the team, so I decided to check them again to see if they were still vulnerable,” a member of TeamHav0k told us.

It turns out that the sites of the US State of Louisiana Office of Juvenile Justice and the Nigerian State of Jigawa still encapsulate the cross-site scripting (XSS) vulnerabilities they contained some while ago.

Pakistani government websites, such as the one of the City District Government of Multan, Government of Khyber Pakhtunkhwa, and the Ministry of Local Government and Rural Development, present the same weaknesses.

“Surprisingly they were still vulnerable so I figured 'eh…why not?' One thing that really annoyed me about this though was the constant use of the LIMIT function. Took me a while to dumb these, but eh… when you’re bored and got nothing to do it entertains you I guess :)”

To prove their findings, the hackers posted a proof of concept document on Pastebin under the name of Op Return, the information from the document being potentially useful for site administrators who want to address the issues.

Besides Operation Return, TeamHav0k also found an XSS vulnerability in a site that offers interesting facts about songs. The name of the site will be disclosed after its administrators confirm that the issue has been addressed.

TeamHav0k has been highly active on the grey hat scene recently, uncovering vulnerabilities in sites such as Yale University, US Department of Justice, NASA, which responded to our inquiry, and other major US military sites.